Date: Mon, 2 Jul 2018 18:32:54 +0100
From: Simon McVittie <smcv@...ian.org>
To: oss-security@...ts.openwall.com
Subject: Re: accountsservice: insufficient path check in
user_change_icon_file_authorized_cb()
On Mon, 02 Jul 2018 at 16:10:24 +0200, Jakub Wilk wrote:
> You patch uses g_file_get_path(), which AFIACT doesn't use any filesystem
> I/O for canonicalisation, so that should be fine.
It's specifically documented not to do any blocking I/O, and might provide
syntactic canonicalisation (the documentation doesn't specifically say
either way) but does not provide filesystem-aware canonicalisation.
The documentation also specifically says that the returned path "might
contain symlinks".
It might be a good idea to double-check that the result of
g_file_get_path() starts with "/", doesn't contain "/../" and (just for
completeness) doesn't end with "/..".
smcv